Privacy issues around health data have come into sharp relief during the COVID-19 pandemic. From test and trace apps, to vaccine trials, to data around infection rates, symptoms, treatments and outcomes, health data, and the way it is handled, has never been more important.
Health data is given special protection under the GDPR and the UK's Data Protection Act 2018 (DPA18). This includes exemptions to and restrictions on the right of access – the right, under the GDPR, for individuals to obtain certain information in relation to the data a controller is processing about them.
The right of access, or more commonly, subject access, is the right of individuals to obtain a copy of the personal data an organisation holds about them, together with associated information including:
A subject access request (SAR), also known as a Data Subject Access Request (DSAR), is the request made by an individual to exercise the right of access. It doesn't have to be in any prescribed form, and subject to certain requirements, can even be made by a third party on the data subject's behalf.
There are set rules about the time within which you need to respond to a SAR: initially one month, which may be extended by a further two months where the request is complex or you have received a number of requests from the individual. You may also seek clarification about the request where it is genuinely required and you process a large amount of information about the individual.
There are also some limited exemptions from the requirement to comply with a SAR where the request is manifestly unfounded or manifestly excessive. Where responding to a request would involve disclosing personal data which identifies another individual, you don't need to comply unless that other individual has consented to the disclosure or it is reasonable to comply with the request without their consent. There are also limited sector-specific exemptions set out in the GDPR and DPA18.
Health data is, for obvious reasons, particularly sensitive. Its classification as special category data under the GDPR means it attracts additional protections across a number of areas, and that includes in relation to SARs. The ICO recently published guidance on responding to SARs which goes into more detail about how to handle a SAR involving health data.
Health data is defined in, to all intents and purposes, the same way in the GDPR and the DPA18. The DPA18 defines it as "personal data relating to the physical or mental health of an individual, including the provision of health care services which reveals information about their health status".
The standard exemptions to responding to a SAR relating to health data apply (although information identifying a health professional acting as such should not normally be withheld even though they are a third party). There are, however, further exemptions which may apply, which are set out largely in Schedule 3, Part 2 of the DPA18.
Under Paragraph 3, Part 2 of Schedule 3 DPA18, there's an exemption from the right of access for health data where it's:
If a SAR relating to health data is made by someone with parental responsibility for an individual under 18 (or 16 in Scotland) or by someone appointed by the court to manage the affairs of an individual incapable of managing them themselves, there is a limited exemption. It applies only to the extent that complying with the SAR would disclose information that:
If you're a health professional, you're exempt from complying with a SAR relating to health data to the extent that to do so would be likely to cause serious harm to the physical or mental health of any individual (not just the individual to whom the data relates). Health professionals include registered medical practitioners, dentists and nurses. A full list is set out in s204 DPA18.
You may also rely on this exemption if you aren't a health professional but, within the last six months, you've obtained an opinion from the appropriate health professional (the one most recently responsible for diagnosis, care or treatment of the individual), that the serious harm test for health data is met. This will only apply where it is reasonable in all the circumstances not to re-consult the health professional.
If you aren't a health professional, you mustn't disclose health data in response to a SAR unless:
The ICO gives the example of a GP's note recommending a medical absence which the individual passes to their employer. Because the individual is already aware of the note's contents, it can be disclosed in response to a SAR asking for "all information you hold about my absences from work".
If you are required to re-consult a health professional, you may consider the SAR to be complex and extend the reply period although you may not be able to tell the individual why you are extending it or why you are withholding information. Any decisions taken should be documented.
Third parties can make SARs provided they are entitled to act on the relevant data subject's behalf, for example, a solicitor may make a SAR on behalf of a client.
However, care should be taken when considering third party SARs. If you're concerned that a third party request is excessive, or for example, you have a question over the robustness of the authority given by the data subject to the third party, then you should contact the individual data subject first if possible and send the information to them in order for them to pass it on to the requester if they choose. If you can't contact the individual, you should respond to the SAR as long as you are satisfied the third party is authorised to act on behalf of the individual.
Valid SARs cannot be made by third parties whose interests may conflict with the individual's, for example, an insurance company needing to access health data to assess a claim. SARs can also only be made in relation to the personal data of a living individual.
Remember that it's not just Article 15 GDPR and the relevant sections of the DPA18 which apply when dealing with SARs. It's particularly important to apply the data protection principles of transparency and to be able to demonstrate your decision making process. This will involve having detailed policies in place about how to respond to SARs and how to assess when and whether exemptions apply.
Keep in mind that SARs can be quite broad in terms of the information they request and can stray well beyond the simple and often convenient organisational structure of the data you hold. They often go beyond requiring you to search easily accessible 'records held in a file' and can become complex when the data requested is held in opinions and emails.
Don't underestimate the time and resource required for the 'search and sort' aspect of the more complex SAR; it's not unusual for an email search to involve outputs of thousands of emails. SARs compliance should, in practice, include road-testing exercises to see how well (or not!) your organisation can retrieve data, apply exemptions and provide a copy within the required time frames. A test exercise should lean on the record of processing activity to make sure the test is as rigorous as possible in order to best prepare the organisation.
Lack of SARs readiness can make handling a broad yet perfectly legitimate request much more complex. It can also lead to an inaccurate assessment that the request is excessive, when, in fact, the apparent complexity may be due to lack of readiness to provide an efficient search and response. Lack of transparency (as mentioned above) or lacking the ability to robustly explain decisions for the output can also create risk that could be avoided or certainly minimised with preparation.